TY - GEN
T1 - Analyzing android application in real-time at kernel level
AU - Ruan, Hao
AU - Fu, Xiao
AU - Liu, Xuanyu
AU - Du, Xiaojiang
AU - Luo, Bin
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/9/14
Y1 - 2017/9/14
N2 - The wide spread of mobile devices has also caused the explosive growth of malware. Application behavior analysis is a popular technique to fight against malware. However, current app behavior analysis methods still have some limitations. For example, many popular dynamic analysis methods are built on Dalvik virtual machines. They cannot disclose the behavior of native code. VMI-based methods can overcome this limitation, but they're executed in simulated environments. Now malware can detect where it is running so as to hide illegal behaviors by anti-forensic techniques. Considering these, we present DroidRevealer. It is based on kernel-level system call monitoring and it's running on real Android devices. By intercepting and interpreting certain file/network-related and Android-specific system calls, it can reconstruct app behaviors in real time. It's difficult to evade as it runs in the kernel. And its results do not simply focus on a single kind of behavior or a single app. Instead it is data oriented, i.e. it monitors how the target data source is used. The result is presented as an intelligible graph which can provide both a good basis for detection and crucial evidence for forensics. Experiments have proved that the performance of our method is acceptable.
KW - Behavior analysis
KW - Dynamic analysis
KW - Malware detection
KW - Mobile forensics
UR - http://www.scopus.com/inward/record.url?scp=85032259417&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85032259417&partnerID=8YFLogxK
U2 - 10.1109/ICCCN.2017.8038362
DO - 10.1109/ICCCN.2017.8038362
M3 - Conference contribution
AN - SCOPUS:85032259417
T3 - 2017 26th International Conference on Computer Communications and Networks, ICCCN 2017
BT - 2017 26th International Conference on Computer Communications and Networks, ICCCN 2017
T2 - 26th International Conference on Computer Communications and Networks, ICCCN 2017
Y2 - 31 July 2017 through 3 August 2017
ER -